BigFix Client Compliance Windows (IPSec Framework)

The BigFix Client Compliance Windows (IPSec Framework) Fixlet site provides self-quarantine capabilities using the BigFix Client Compliance extension. In this solution, the BES Client restricts or enables inbound and outbound network connectivity based on the compliance status of the computer, while still passing BES network traffic so that the computer remains manageable through BES.

The following Fixlets, Task and Analysis are available in the BigFix Client Compliance Windows (IPSec Framework):
  • Fixlets:
    • IPSec - Automatically Quarantine New Clients
    • IPSec - Determine Compliance
    • IPSec - Quarantine Needed
    • IPSec - Quarantine No Longer Needed
  • Task:
    • IPSec - Quarantine Override
  • Analysis:
    • IPSec - Compliance Evaluation Information
To access BigFix Client Compliance Windows (IPSec Framework), select BigFix Management > Manage Sites > External Sites > BigFix Client Compliance (IPSec Framework) > Fixlets and Tasks or Analyses.

Fixlets

IPSec - Automatically Quarantine New Clients
This Fixlet message ensures that when a new workstation computer or client endpoint first joins the network, it is quarantined. This Fixlet message should be applied before any other IPSec Fixlet messages. It is recommended that you deploy it as a policy action so that any new computer joining the network is automatically quarantined until it has been determined to be compliant.
IPSec - Determine Compliance
This Fixlet message determines whether a client computer is compliant with the security standards defined in the compliance document. The Fixlet message becomes relevant periodically (currently every 5 minutes). It is recommended that you deploy this Fixlet as a policy action so that the compliance status of computers on the network is periodically re-evaluated.
IPSec - Quarantine Needed
If the computer in question is NOT in compliance and is NOT already in quarantine, then this Fixlet message will quarantine the computer, leaving ONLY the communication between the BES client and the BES server open. When you take this action from the BES console, use the options under the Message tab to send a notification message to users. It is recommended that you deploy this Fixlet message as a policy action.
IPSec - Quarantine No Longer Needed
If a client computer is quarantined and it is compliant, then this Fixlet will remove the computer from quarantine. When you take this action from the BES console, use the options under the Message tab to send a notification message to users. It is recommended you deploy this Fixlet message as a policy action.

Task

IPSec - Quarantine Override
This task takes a computer out of quarantine regardless of its compliance status. It is meant as a temporary measure to release a computer from quarantine. The action first installs a compliance document containing one compliance expression that always evaluates to true, causing the client to report as compliant. The second part of the action takes the computer out of quarantine. This two-part action ensures that any policy actions already in effect (in particular "IPSec - Quarantine Needed") will not return the computer to the quarantined state. Note that while the override is in place the computer will report as compliant even though it may not meet the real standard, so track overridden computers separately and treat the override as temporary.

Analysis

IPSec - Compliance Evaluation Information
Retrieves the current compliance and quarantine statuses on computers with the BigFix Client Compliance extension installed.
Note:
  1. The "Compliance Status" property is calculated from the results of the last compliance evaluation, while the "Quarantine Status" property is determined by the results of quarantine actions. A computer that is out of quarantine is not necessarily in compliance, and vice versa. If the compliance and quarantine statuses are inconsistent (for example, a computer that is not compliant but not quarantined, or compliant but still quarantined), verify that the "IPSec - Determine Compliance", "IPSec - Quarantine Needed" and "IPSec - Quarantine No Longer Needed" policy actions are set up correctly.
  2. Once a client computer has been quarantined, the BES console administrator should apply any necessary Fixlet messages or custom actions to bring that computer into compliance. Once the computer is compliant, the "IPSec - Quarantine No Longer Needed" Fixlet message becomes relevant, and the computer can be removed from quarantine. The BES console administrator can automate remediation and removal of computers from quarantine by deploying the appropriate Fixlet messages as policy actions.
  3. This Fixlet site is designed to be used in conjunction with the "BigFix Client Compliance Windows (IPSec Framework)" Fixlet site. For more information on BigFix Client Compliance visit https://support.bigfix.com/bes/sites/clientcompliance.html.
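The relevance rules of "IPSec - Quarantine Needed" and "IPSec - Quarantine No Longer Needed" described above, together with the consistency check in note 1, can be applied offline to results exported from the "IPSec - Compliance Evaluation Information" analysis. The following script is an added example, not code from the BigFix site; it assumes the export is a CSV with the columns "Computer Name", "Compliance Status" and "Quarantine Status", and that the status cells read "Compliant" / "Not Compliant" and "Quarantined" / "Not Quarantined". Those column and value names are assumptions; adjust them to match what your console exports. The sample rows are constructed for the example.

```python
"""Reconcile compliance and quarantine statuses from a BigFix analysis export.

Added example (not part of the BigFix Client Compliance site).  For each
computer it applies the relevance rules of the two quarantine Fixlets and
reports the policy action that should have fired but apparently has not,
plus any computer whose statuses could not be interpreted.
"""
import csv
import io

# Assumed status strings as they would appear in the exported analysis.
COMPLIANCE_VALUES = {"compliant": True, "not compliant": False}
QUARANTINE_VALUES = {"quarantined": True, "not quarantined": False}

# Relevance rules keyed by (compliant, quarantined).  None marks a steady
# state: compliant and on the network, or quarantined pending remediation.
EXPECTED_ACTION = {
    (False, False): "IPSec - Quarantine Needed",
    (True, True): "IPSec - Quarantine No Longer Needed",
    (True, False): None,
    (False, True): None,
}

# Constructed sample export: WS-003 and WS-004 are inconsistent, WS-005 has
# not reported a compliance status (e.g. no evaluation has run yet).
SAMPLE_RESULTS = """Computer Name,Compliance Status,Quarantine Status
WS-001,Compliant,Not Quarantined
WS-002,Not Compliant,Quarantined
WS-003,Not Compliant,Not Quarantined
WS-004,Compliant,Quarantined
WS-005,,Not Quarantined
"""


def parse_flag(raw, table):
    """Normalise one status cell; return None if it is blank or unrecognised."""
    return table.get((raw or "").strip().lower())


def reconcile(csv_text):
    """Return a finding dict for every computer that needs attention.

    A finding carries the computer name, the raw statuses, the action that
    should be relevant (or None) and a short reason.  Steady-state rows
    produce no finding.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = (row.get("Computer Name") or "").strip()
        raw_c = row.get("Compliance Status", "")
        raw_q = row.get("Quarantine Status", "")
        compliant = parse_flag(raw_c, COMPLIANCE_VALUES)
        quarantined = parse_flag(raw_q, QUARANTINE_VALUES)

        if compliant is None or quarantined is None:
            findings.append({
                "computer": name, "compliance": raw_c, "quarantine": raw_q,
                "expected_action": None,
                "reason": "status not reported; confirm the Client Compliance "
                          "extension is installed and Determine Compliance has run",
            })
            continue

        action = EXPECTED_ACTION[(compliant, quarantined)]
        if action is not None:
            findings.append({
                "computer": name, "compliance": raw_c, "quarantine": raw_q,
                "expected_action": action,
                "reason": f'"{action}" should be relevant; check that it is '
                          "deployed as a policy action",
            })
    return findings


def summarize(csv_text):
    """Count computers per (compliant, quarantined) state for a quick overview."""
    counts = {state: 0 for state in EXPECTED_ACTION}
    counts["unknown"] = 0
    for row in csv.DictReader(io.StringIO(csv_text)):
        c = parse_flag(row.get("Compliance Status", ""), COMPLIANCE_VALUES)
        q = parse_flag(row.get("Quarantine Status", ""), QUARANTINE_VALUES)
        counts["unknown" if c is None or q is None else (c, q)] += 1
    return counts


if __name__ == "__main__":
    for f in reconcile(SAMPLE_RESULTS):
        print(f'{f["computer"]}: {f["compliance"]!r}/{f["quarantine"]!r} -> {f["reason"]}')
    print(summarize(SAMPLE_RESULTS))
```

Run it against a real export by reading the file into `reconcile()`; computers released with "IPSec - Quarantine Override" will appear as a steady state (compliant, not quarantined) because the override installs an always-true compliance document, so they must be tracked by the action history rather than by this report.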